Paige Thompson "erratic"
Former AWS engineer who exfiltrated the Capital One credit-card application database, posted about it on Slack, was arrested within 48 hours, and served zero prison time.
Paige Thompson worked as a systems engineer at Amazon Web Services in 2015 and 2016. By 2019 she was living in Seattle, with a history of tech employment broken up by periods of instability, and was dealing with mental-health diagnoses and a family situation she described publicly as challenging. In March of that year she found a misconfigured web application firewall on a Capital One environment, used a server-side request forgery to extract the credentials of an AWS role attached to that firewall, and downloaded approximately 700 storage buckets containing the credit-card application data of 106 million people in the US and Canada.
Thompson didn’t sell the data. She posted samples to GitHub and discussed the intrusion in a public Slack channel under the handle “erratic”. A reader of that Slack channel noticed the bank’s name in some of the file paths and tipped Capital One on 17 July 2019. She was arrested on 29 July.
Convicted in 2022 of seven federal computer-fraud counts, Thompson was sentenced to time served and five years of probation. The judge declined the prison sentence the prosecutors had asked for, citing her mental health, the lack of evidence the data had been sold or used for further fraud, and what the judge described as a credible reform trajectory. The case is studied as the first major example of a US federal court applying a consciously different sentencing framework to a non-financially-motivated cybercrime defendant — and as a reminder that the gap between “competent technical worker who makes a series of impulsive decisions” and “convicted federal cybercriminal” is shorter than enterprise security tooling typically assumes.
// Seen on screen
- 2019 Wired — The Capital One Hack // book
Wired's running coverage tracked the case from arrest through 2022 sentencing. No theatrical adaptation has been attempted.